
RSA BSAFE Cert-C
API Reference

certpath.h

00001 /*
00002 * Copyright (c) RSA Security Inc., 1999-2003.  All rights reserved.
00003 * This work contains proprietary, confidential, and trade secret
00004 * information of RSA Security Inc.  Use, disclosure or reproduction
00005 * without the express written authorization of RSA Security Inc. is
00006 * prohibited.
00007 */
00008 
00009 #ifndef HEADER_BSAFE_CERTC_CERTPATH
00010 #define HEADER_BSAFE_CERTC_CERTPATH 1
00011 
00018 #include "basetype.h"
00019 #include "certext.h"     /* for REASON_CODEs (CR_*) */
00020 
00021 #ifdef __cplusplus
00022 extern "C" {
00023 #endif
00024 
00025 /* Certificate revocation status values.
 *
 * Presumably the values stored in CERT_REVOCATION.status ("certificate
 * status") -- confirm against the full API reference.
 *
 * NOTE(review): CERT_REVOCATION_UNKNOWN is a third outcome, distinct from
 * CERT_NOT_REVOKED. A caller that only tests for CERT_REVOKED also accepts
 * certificates whose status could not be determined; compare against
 * CERT_NOT_REVOKED explicitly and decide deliberately how UNKNOWN is handled.
 */
00026 #define CERT_NOT_REVOKED        0       /* certificate has not been revoked */
00027 #define CERT_REVOKED            1       /* certificate has been revoked     */
00028 #define CERT_REVOCATION_UNKNOWN 2       /* certificate status is unknown    */
00029 
00030 /* Certificate revocation evidence types.
 *
 * Each value states what the accompanying evidence pointer refers to, as
 * listed per constant below. Presumably these are the values of
 * CERT_REVOCATION.evidenceType -- confirm against the full API reference.
 *
 * NOTE(review): the evidence member of CERT_REVOCATION is an untyped POINTER,
 * so the evidence type has to be checked before the pointer is cast.
 * CRE_ERROR and CRE_TRANSPORT_ERROR carry an error value rather than CRL or
 * OCSP evidence.
 */
00031 #define CRE_NONE            0 /* no evidence                            */
00032 #define CRE_CRL             1 /* evidence is pointer to CRL_EVIDENCE    */
00033 #define CRE_OCSP            2 /* evidence is pointer to OCSP_EVIDENCE   */
00034 #define CRE_ERROR           3 /* evidence is pointer to int             */
00035 #define CRE_TRANSPORT_ERROR 4 /* evidence is pointer to PKI_STATUS_INFO */
00036 
/*
 * CRL-based revocation evidence: the structure the evidence pointer refers
 * to when the evidence type is CRE_CRL. Holds the CRL for a certificate plus
 * the certificates and CRLs listed as necessary for validation.
 *
 * NOTE(review): presumably released with C_DestroyCRLEvidence(), which takes
 * a CRL_EVIDENCE ** -- confirm ownership rules in the full API reference.
 */
00061 typedef struct {
00062   CRL_OBJ  crl;      /* CRL for a given cert           */
00063   LIST_OBJ certList; /* certs necessary for validation */
00064   LIST_OBJ crlList;  /* CRLs necessary for validation  */
00065 } CRL_EVIDENCE;
00066 
/*
 * Revocation details attached to OCSP evidence: why and when a certificate
 * was revoked. Referenced through OCSP_EVIDENCE.revocationInfo, which is
 * marked optional there.
 */
00083 typedef struct {
00084   REASON_CODE      reason;  /* one of CR_* in certext.h                    */
00085   GENERALIZED_TIME time;    /* time at which cert was revoked for "reason" */
00086 } OCSP_REVOCATION_INFO;
00087 
/*
 * OCSP-based revocation evidence: the structure the evidence pointer refers
 * to when the evidence type is CRE_OCSP. Records the response times, any
 * per-certificate extensions and, optionally, revocation details.
 *
 * pNextUpdate and revocationInfo are pointers marked optional; presumably
 * they are null when the responder supplied no value -- check before
 * dereferencing.
 *
 * NOTE(review): this listing does not show whether the library itself rejects
 * stale responses (thisUpdate / pNextUpdate compared with the validation
 * time). A caller that relies on this evidence should confirm that, and
 * should inspect flags for OCSP_EVIFLAG_NONCE_IGNORED.
 */
00146 typedef struct {
00147   unsigned int          flags;             /* one of OCSP_EVIFLAG_*                    */
00148   GENERALIZED_TIME      producedAt;        /* production time of this response         */
00149   GENERALIZED_TIME      thisUpdate;        /* time at which status known to be correct */
00150   GENERALIZED_TIME     *pNextUpdate;       /* (optional) time at which newer           */
00151                                            /*   info will be available                 */
00152   EXTENSIONS_OBJ        singleExtensions;  /* additional info about checked cert       */
00153   OCSP_REVOCATION_INFO *revocationInfo;    /* (optional) additional revocation info    */
00154 } OCSP_EVIDENCE;
00155 
00156 /*
00157  * The client provided the optional nonce extension in the request, but no
00158  * nonce was returned by the OCSP responder.
00159  */
/*
 * NOTE(review): without an echoed nonce the response is not bound to this
 * particular request, so freshness rests on the producedAt / thisUpdate /
 * pNextUpdate times in OCSP_EVIDENCE alone. Callers that sent a nonce to get
 * replay protection should test OCSP_EVIDENCE.flags for this bit and apply
 * their own policy (for example, a tight bound on response age).
 */
00160 #define OCSP_EVIFLAG_NONCE_IGNORED 0x00000001
00161 
/*
 * Result record filled in through the revocation parameter of
 * C_CheckCertRevocation(): a status, the kind of evidence behind it, and an
 * untyped pointer to that evidence.
 *
 * status       -- presumably one of CERT_NOT_REVOKED, CERT_REVOKED or
 *                 CERT_REVOCATION_UNKNOWN; confirm.
 * evidenceType -- presumably one of the CRE_* values; confirm.
 * evidence     -- what it points to depends on evidenceType (see the CRE_*
 *                 comments); check evidenceType before casting.
 *
 * NOTE(review): CRL and OCSP evidence presumably has to be released with
 * C_DestroyCRLEvidence() / C_DestroyOCSPEvidence() respectively -- confirm
 * ownership in the full API reference.
 */
00249 typedef struct {
00250   int     status;             /* certificate status */
00251   int     evidenceType;       /* type of evidence */
00252   POINTER evidence;           /* evidence of status */
00253 } CERT_REVOCATION;
00254 
00255 /* Certification path processing algorithms.
 *
 * Presumably the values of CERT_PATH_CTX.pathAlgorithm ("path processing
 * algorithm") -- confirm against the full API reference.
 *
 * NOTE(review): PA_X509_V1 is documented as using only X.509 v1 certificate
 * fields. v1 certificates carry no extensions, so the extension-based
 * constraints named by the PF_* options (basic constraints, key usage, name
 * constraints, policy) presumably play no part under it -- confirm before
 * selecting it for anything but legacy interoperability.
 * RFC 2459 has since been obsoleted (by RFC 3280, then RFC 5280).
 *
 * _PA_MAX is an internal upper bound, not a selectable algorithm. Its name
 * (underscore followed by an upper-case letter) falls in the identifier space
 * C reserves for the implementation.
 */
00256 #define PA_X509_V1    1 /* uses only X.509 v1 certificate fields */
00257 #define PA_PKIX       2 /* compatible with PKIX specification RFC 2459 */
00258 #define PA_PKIX2      3 /* compatible with draft son-of-2459  */
00259 #define _PA_MAX       3 /* Highest PA_* value.  Not for application use */
00260 
00261 /* Certification path processing options. These flags are used to turn off
00262    certain checks in path building / validation. Individual flags may be
00263    combined using "bit-wise or" (|). Not all flags apply to every algorithm.
00264 
00265    The high-order four bits of the pathOptions are reserved for service-
00266    specific flags. The interpretation of service-specific flags is
00267    determined by the particular certificate-path service provider to which
00268    Cert-C routes the operation. The remaining unassigned bits are reserved
00269    for future use.
00270 
00271   PF_IGNORE_SIGNATURE
00272     Setting this flag causes path processing not to verify certificate
00273     signatures. Unless signatures are known to be valid by out-of-band
00274     means, disabling this check is not recommended.
00275 
00276   PF_IGNORE_VALIDATION_TIME
00277     Setting this flag causes path processing not to check the validity
00278     period contained within each certificate.
00279 
00280   PF_IGNORE_REVOCATION
00281     Setting this flag causes path processing not to check the
00282     revocation status of each certificate.
00283 
00284   PF_IGNORE_NAME_CHAINING
00285     Setting this flag causes path processing not to verify the
00286     subject name / issuer name linkage between adjacent certificates
00287     in the path.
00288 
00289   PF_IGNORE_NAME_CONSTRAINTS
00290     Setting this flag causes path processing not to verify that the
00291     subject name and subjectAltName extension are consistent with the
00292     name constraints contained in the path certificates.
00293 
00294   PF_IGNORE_BASIC_CONSTRAINTS
00295     Setting this flag causes path processing not to verify the path
00296     length established by the basic constraints extensions in the
00297     path certificates.
00298 
00299   PF_IGNORE_KEY_USAGE
00300     Setting this flag causes path processing not to enforce key usage
00301     extensions contained within certificates, even if marked critical.
00302     In particular, the CertSign flag will be ignored.
00303 
00304   PF_IGNORE_CRITICALITY
00305     Setting this flag causes path processing not to fail if any
00306     unrecognized critical extensions are encountered in the path.
00307 
00308   PF_IGNORE_UID_CHAINING
00309     Setting this flag causes path processing not to verify the
00310     subject unique identifier / issuer unique identifier linkage
00311     between adjacent certificates in the path.
00312 
00313   PF_IGNORE_KEY_ID_CHAINING
00314     Setting this flag causes path processing not to verify the
00315     subject key identifier / authority key identifier linkage
00316     between adjacent certificates in the path.
00317 
00318   PF_IGNORE_CRL_DP
00319     Setting this flag causes path processing not to use information
00320     in CRL Distribution Points extensions when checking certificate
00321     revocation status.
00322 
00323   PF_FORCE_CRL_DP
00324     Setting this flag causes path processing to use information
00325     in CRL Distribution Points extensions first when checking certificate
00326     revocation status.
00327 
00328   PF_IGNORE_AIA
00329     Setting this flag causes path processing not to use information
00330     in Authority Information Access extensions when building or
00331     validating certificate paths.
00332 
00333   PF_IGNORE_CRL_NUMBER
00334     Setting this flag causes path processing not to use CRL Number
00335     extensions when selecting the most current CRL.
00336 
00337   PF_IGNORE_DELTA_CRL
00338     Setting this flag causes path processing not to use delta CRLs
00339     when checking certificate revocation status. A complete CRL
00340     must be used instead.
00341 
00342   PF_IGNORE_CRL_IDP
00343     Setting this flag causes path processing not to use Issuing Distribution
00344     Point information contained in a CRL. It also causes the Certificate
00345     Issuer extension in CRL entries to be ignored.
00346 
00347 The following flags (and their meanings) only apply when
00348 pathAlgorithm is set to PA_PKIX2.
00349 
00350   PF_IGNORE_POLICY
00351     Setting this flag causes path processing not to consider *any*
00352     policy or policy mapping information in the certificates.
00353 
00354   PF_INHIBIT_POLICY_MAPPING
00355     Setting this flag causes policy mapping to be disallowed
00356     in the certification path.
00357 
00358   PF_REQUIRE_EXPLICIT_POLICY
00359     Setting this flag indicates the certificate path MUST be
00360     valid for at least one of the policies in the user's initial
00361     policy set.
00362 
00363   PF_INHIBIT_ANYPOLICY
00364     Setting this flag indicates the anyPolicy OID should not
00365     be processed if it is included in a certificate.
00366 
00367 
00368 */
/*
 * Bit values for the pathOptions member of CERT_PATH_CTX; combine with
 * bit-wise or. A pathOptions value of 0 sets none of them.
 *
 * NOTE(review): the bits from 0x00000001 through 0x00000200, and
 * PF_IGNORE_POLICY, each skip a validation step, so every one that is set
 * widens the set of paths that are accepted. The CRL_DP / AIA / CRL_NUMBER /
 * DELTA_CRL / CRL_IDP bits change which information is consulted rather than
 * skipping a step outright. PF_INHIBIT_POLICY_MAPPING,
 * PF_REQUIRE_EXPLICIT_POLICY and PF_INHIBIT_ANYPOLICY are described as
 * restricting policy processing, not relaxing it.
 * When auditing a caller, treat any PF_IGNORE_* bit in pathOptions as
 * something that needs a written justification, and make sure the mask is
 * never derived from peer-supplied input.
 */
00369 #define PF_IGNORE_SIGNATURE           0x00000001 /* skip certificate signature verification        */
00370 #define PF_IGNORE_VALIDATION_TIME     0x00000002 /* skip validity-period check                     */
00371 #define PF_IGNORE_REVOCATION          0x00000004 /* skip revocation status check                   */
00372 #define PF_IGNORE_NAME_CHAINING       0x00000008 /* skip subject / issuer name linkage check       */
00373 #define PF_IGNORE_NAME_CONSTRAINTS    0x00000010 /* skip name constraints check                    */
00374 #define PF_IGNORE_BASIC_CONSTRAINTS   0x00000020 /* skip basic constraints path length check       */
00375 #define PF_IGNORE_KEY_USAGE           0x00000040 /* do not enforce key usage, CertSign included    */
00376 #define PF_IGNORE_CRITICALITY         0x00000080 /* tolerate unrecognized critical extensions      */
00377 #define PF_IGNORE_UID_CHAINING        0x00000100 /* skip unique identifier linkage check           */
00378 #define PF_IGNORE_KEY_ID_CHAINING     0x00000200 /* skip key identifier linkage check              */
00379 #define PF_IGNORE_CRL_DP              0x00000400 /* do not use CRL Distribution Points             */
00380 #define PF_IGNORE_AIA                 0x00000800 /* do not use Authority Information Access        */
00381 #define PF_IGNORE_CRL_NUMBER          0x00001000 /* do not use CRL Number to pick the current CRL  */
00382 #define PF_IGNORE_DELTA_CRL           0x00002000 /* do not use delta CRLs; complete CRL required   */
00383 #define PF_IGNORE_CRL_IDP             0x00004000 /* do not use Issuing Distribution Point info     */
00384 #define PF_IGNORE_POLICY              0x00008000 /* PA_PKIX2 only: ignore all policy information   */
00385 #define PF_FORCE_CRL_DP               0x00010000 /* use CRL Distribution Points first              */
00386 #define PF_INHIBIT_POLICY_MAPPING     0x00020000 /* PA_PKIX2 only: disallow policy mapping         */
00387 #define PF_REQUIRE_EXPLICIT_POLICY    0x00040000 /* PA_PKIX2 only: path must match initial policy  */
00388 #define PF_INHIBIT_ANYPOLICY          0x00080000 /* PA_PKIX2 only: do not process anyPolicy        */
00389 
00390 
/*
 * Presumably the value to store in CERT_PATH_CTX.validationTime to validate
 * at the current time rather than at a caller-chosen time -- confirm against
 * the full API reference.
 */
00391 #define PF_VALIDATION_TIME_NOW        0
00392 
00393 /* Special value that is used to denote that any policy is accepted.
 * Presumably assigned to CERT_PATH_CTX.policies ("acceptable policies") --
 * confirm. NOTE(review): with this value no certificate policy restriction is
 * expressed by the caller. */
00394 #define ANY_POLICY                    NULL_PTR
00395 
/*
 * Path processing context, passed by pointer to C_BuildCertPath(),
 * C_GetNextCertInPath(), C_ValidateCert() and C_CheckCertRevocation().
 *
 * NOTE(review): this structure decides how strict validation is. pathOptions
 * holds the PF_* bits, including those that turn checks off, and trustedCerts
 * holds the certificates treated as roots. Both should come from trusted
 * local configuration, never from the peer or from the message being
 * verified. The unit and epoch of validationTime are not visible in this
 * listing (PF_VALIDATION_TIME_NOW is defined as 0) -- confirm before
 * supplying an explicit time.
 */
00665 typedef struct {
00666   int      pathAlgorithm;      /* path processing algorithm */
00667   UINT4    pathOptions;        /* modify base path algorithm */
00668   LIST_OBJ trustedCerts;       /* "root" certificates */
00669   LIST_OBJ policies;           /* acceptable policies */
00670   UINT4    validationTime;     /* path must be valid at this time */
00671   SERVICE  database;           /* database(s) for path processing */
00672 } CERT_PATH_CTX;
00673 
00674 
/*
 * Builds a certification path from startObject under the rules in pathCtx.
 * Per the parameter comments, the resulting path is delivered in certPath,
 * the CRLs needed to verify it in crlList, additional certificates needed to
 * verify those CRLs in crlCerts, and policy information in policyInfoList.
 *
 * Returns an int; its meaning is not shown in this listing. Presumably 0
 * means success and any other value is a Cert-C error code -- confirm.
 *
 * NOTE(review): callers should check the return value before using certPath,
 * and should treat the result as only as strong as pathCtx->pathOptions
 * allows; any PF_IGNORE_* bit set there removes a check from the outcome.
 */
00770 int C_BuildCertPath (
00771   CERTC_CTX      ctx,                /* Cert-C context handle */
00772   CERT_PATH_CTX *pathCtx,            /* path processing context */
00773   POINTER        startObject,        /* starting point for the path */
00774   LIST_OBJ       certPath,           /* resulting certification path */
00775   LIST_OBJ       crlList,            /* CRLs needed to verify the path */
00776   LIST_OBJ       crlCerts,           /* Additional certs to verify CRLs */
00777   LIST_OBJ       policyInfoList);    /* list of policy information */
00778 
/*
 * Adds certificates to certList for the path that starts at startObject,
 * using the rules in pathCtx. Judging by the name, these are the next
 * certificates in the path -- confirm the exact selection rule in the full
 * API reference.
 *
 * Returns an int; its meaning is not shown in this listing. Presumably 0
 * means success and any other value is a Cert-C error code -- confirm.
 *
 * NOTE(review): nothing visible here says the certificates added have been
 * validated. Presumably they are candidates only -- confirm before trusting
 * them.
 */
00821 int C_GetNextCertInPath (
00822   CERTC_CTX      ctx,            /* Cert-C context */
00823   CERT_PATH_CTX *pathCtx,        /* path processing context */
00824   POINTER        startObject,    /* starting point for the path */
00825   LIST_OBJ       certList);      /* list where certs are added */
00826 
/*
 * Validates cert under the rules in pathCtx, with validationKey as the
 * signature validation key.
 *
 * Returns an int; its meaning is not shown in this listing. Presumably 0
 * means the certificate validated and any other value is a Cert-C error
 * code -- confirm.
 *
 * NOTE(review): the caller vouches for validationKey. Nothing visible here
 * shows the function establishing trust in that key, so it should come from
 * an already-validated issuer certificate or a configured trust anchor.
 * If pathCtx->pathOptions has PF_IGNORE_SIGNATURE set, signature
 * verification is presumably skipped regardless of the key -- confirm.
 */
00876 int C_ValidateCert (
00877   CERTC_CTX      ctx,                /* Cert-C context */
00878   CERT_PATH_CTX *pathCtx,            /* path processing context */
00879   CERT_OBJ       cert,               /* starting cert */
00880   B_KEY_OBJ      validationKey);     /* signature validation key */
00881 
/*
 * Checks the revocation status of cert under the rules in pathCtx and
 * reports it through the revocation structure.
 *
 * Returns an int; its meaning is not shown in this listing. Presumably 0
 * means the check ran and any other value is a Cert-C error code -- confirm.
 *
 * NOTE(review): a successful return presumably does not mean "not revoked".
 * The answer is in revocation->status, which can also be
 * CERT_REVOCATION_UNKNOWN. Check both the return value and the status, and
 * release CRL / OCSP evidence with C_DestroyCRLEvidence() /
 * C_DestroyOCSPEvidence() as the full API reference directs.
 */
00957 int C_CheckCertRevocation (
00958   CERTC_CTX        ctx,             /* Cert-C context */
00959   CERT_PATH_CTX   *pathCtx,         /* path processing context */
00960   CERT_OBJ         cert,            /* cert to be checked */
00961   CERT_REVOCATION *revocation);     /* revocation status of cert */
00962 
/*
 * Destroys a CRL_EVIDENCE structure. Takes the address of the caller's
 * pointer; presumably the pointer is cleared after the structure is released
 * so it cannot be reused or destroyed twice -- confirm in the full API
 * reference.
 */
00980 void C_DestroyCRLEvidence(
00981   CRL_EVIDENCE **crlEvidence);
00982 
/*
 * Destroys an OCSP_EVIDENCE structure. Takes the address of the caller's
 * pointer; presumably the pointer is cleared after the structure is released
 * so it cannot be reused or destroyed twice -- confirm in the full API
 * reference.
 */
01009 void C_DestroyOCSPEvidence(
01010   OCSP_EVIDENCE **ocspEvidence);
01011 
01012 #ifdef __cplusplus
01013 }
01014 #endif
01015 
01016 #endif /* HEADER_BSAFE_CERTC_CERTPATH */
01017 



RSA BSAFE® Cert-C 2.7 API Reference